acl:orgin in ACL docs not working? #1362
Comments
Same on localhost. I added an solid:ACL accessDenied: checking access to <https://michielbdejong.localhost:8443/public/bookmarks.ttl> by null and origin <https://poddit.app> +3ms
But even with that, it's a 403 and the logs show:
solid:ACL Using ACL https://michielbdejong.localhost:8443/public/bookmarks.ttl.acl for ./bookmarks.ttl +35ms
solid:ACL 1 direct authentications about <https://michielbdejong.localhost:8443/public/bookmarks.ttl> +1ms
solid:ACL accessDenied: checking access to <https://michielbdejong.localhost:8443/public/bookmarks.ttl> by <https://michielbdejong.localhost:8443/profile/card#me> and origin <https://poddit.app> +3ms
solid:ACL 1 direct authentications about <https://michielbdejong.localhost:8443/public/bookmarks.ttl> +1ms
solid:ACL Checking auth <https://michielbdejong.localhost:8443/public/bookmarks.ttl.acl#owner> with agent <https://michielbdejong.localhost:8443/profile/card#me> +0ms
solid:ACL Agent explicitly authenticated. +0ms
solid:ACL Origin check FAILED. Origin not trusted. +0ms
solid:ACL Check failed: Origin Unauthorized +0ms
solid:ACL accessDenied: modeURIorReasons: ["Origin Unauthorized"] +0ms
solid:ACL checking <http://www.w3.org/ns/auth/acl#Write> +0ms
solid:ACL MODE REQUIRED NOT ALLOWED: <http://www.w3.org/ns/auth/acl#Write> Denying with Origin Unauthorized +0ms
solid:ACL Write access denied to https://michielbdejong.localhost:8443/profile/card#me: 403 - Origin Unauthorized +0ms
solid:server Error page because of: [HTTPError: Origin Unauthorized] {
name: 'HTTPError',
message: 'Origin Unauthorized',
status: 403
} +0ms
solid:server Display no-permission for https://michielbdejong.localhost:8443/public/bookmarks.ttl +0ms |
Yeah, this looks like a bug. https://github.com/solid/acl-check/blob/master/src/acl-check.js#L154 seems to be checking for it, but for some reason this fails. |
The problem is that it only checks the first Authorization entry it finds. |
The bug is in https://github.com/solid/acl-check but leaving it here so that we don't lose track of it. |
Added the 'blocker' label because it's blocking our work on the launcher app. |
OK, semi-false alarm, you need to specify the agent in the origin entry, and not use absolute URLs on localhost, then it works:
<https://michielbdejong.localhost:8443/bookmarks.ttl.acl#15743265788207925285236500494> a <http://www.w3.org/ns/auth/acl#Authorization>;
<http://www.w3.org/ns/auth/acl#accessTo> <bookmarks.ttl>;
<http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read>, <http://www.w3.org/ns/auth/acl#Write>, <http://www.w3.org/ns/auth/acl#Control>;
<http://www.w3.org/ns/auth/acl#agent> <https://michielbdejong.localhost:8443/profile/card#me>.
<https://michielbdejong.localhost:8443/bookmarks.ttl.acl#157432657882009127052789542844> a <http://www.w3.org/ns/auth/acl#Authorization>;
<http://www.w3.org/ns/auth/acl#accessTo> <bookmarks.ttl>;
<http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read>, <http://www.w3.org/ns/auth/acl#Write>;
<http://www.w3.org/ns/auth/acl#agent> <https://michielbdejong.localhost:8443/profile/card#me>;
<http://www.w3.org/ns/auth/acl#origin> <https://poddit.app>.
<https://michielbdejong.localhost:8443/bookmarks.ttl.acl#15743265788203481143138502367> a <http://www.w3.org/ns/auth/acl#Authorization>;
<http://www.w3.org/ns/auth/acl#accessTo> <bookmarks.ttl>;
<http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read>;
<http://www.w3.org/ns/auth/acl#agentClass> <http://xmlns.com/foaf/0.1/Agent>. |
Thanks Michiel, that did the trick, although absolute URLs were fine:
|
Apparently you still also have to indicate which WebID uses the app at a given origin, which I guess makes sense. Thanks Michiel for figuring that out: nodeSolidServer/node-solid-server#1362 (comment)
And just to follow up on the question we had during the stand-up: The last one
<https://vincent.localhost:8443/bookmarks.ttl.acl#157433418059917080391260297578> a <http://www.w3.org/ns/auth/acl#Authorization>;
<http://www.w3.org/ns/auth/acl#accessTo> <https://vincent.localhost:8443/bookmarks.ttl>;
<http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read>;
<http://www.w3.org/ns/auth/acl#agentClass> <http://xmlns.com/foaf/0.1/Agent>.
works cross-origin because for public resources, the origin check is skipped, see https://github.com/solid/acl-check/blob/master/src/acl-check.js#L159. This is also clearly documented in the first bullet point of https://github.com/solid/web-access-control-spec#referring-to-origins-ie-web-apps |
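A small model of the origin check as the two comments above describe it (an acl:origin entry only works when it also names the agent; public foaf:Agent entries skip the origin check), added here as an example. It is not acl-check's or node-solid-server's code: the `checkAccess` function, the authorization objects (a hand transcription of the working .acl posted above) and the hypothetical `#originOnly` entry are all constructed for illustration, and trusted-app lookup in the WebID profile is left out.

```javascript
// Added example: simplified WAC origin-check model. Not the acl-check library's
// code; all data below is constructed from the .acl shown in this thread.
const FOAF_AGENT = 'http://xmlns.com/foaf/0.1/Agent';

const RESOURCE = 'https://michielbdejong.localhost:8443/bookmarks.ttl';
const OWNER = 'https://michielbdejong.localhost:8443/profile/card#me';
const APP_ORIGIN = 'https://poddit.app';

// Constructed sample: one object per acl:Authorization; each array holds the
// object values of that predicate (acl:accessTo, acl:mode, acl:agent, ...).
// #originOnly is hypothetical: it lists an origin but names no agent.
const authorizations = [
  { id: '#owner',      accessTo: [RESOURCE], mode: ['Read', 'Write', 'Control'], agent: [OWNER] },
  { id: '#app',        accessTo: [RESOURCE], mode: ['Read', 'Write'],            agent: [OWNER], origin: [APP_ORIGIN] },
  { id: '#public',     accessTo: [RESOURCE], mode: ['Read'],                     agentClass: [FOAF_AGENT] },
  { id: '#originOnly', accessTo: [RESOURCE], mode: ['Write'],                    origin: [APP_ORIGIN] },
];

// Evaluate one request. `agent` is the session WebID (null if unauthenticated),
// `origin` is the Origin header (null if absent), `mode` is Read/Write/Control.
// Returns the entry that granted access, or why each candidate was rejected.
function checkAccess(auths, { resource, agent, origin, mode }) {
  const reasons = [];
  for (const auth of auths) {
    if (!auth.accessTo.includes(resource) || !auth.mode.includes(mode)) continue;

    // Public entry: anyone qualifies and the origin check is skipped entirely
    // (first bullet of the spec's "Referring to Origins" section).
    if ((auth.agentClass || []).includes(FOAF_AGENT)) {
      return { allowed: true, by: auth.id, reasons: [] };
    }

    // The entry must name the requesting agent; acl:origin on its own grants nothing.
    if (agent === null || !(auth.agent || []).includes(agent)) {
      reasons.push(`${auth.id}: agent not matched`);
      continue;
    }

    // No Origin header (same-origin request): the agent match is enough.
    if (origin === null) return { allowed: true, by: auth.id, reasons: [] };

    // Cross-origin: this entry must list the origin. An entry without
    // acl:origin would fall back to the profile's trusted apps, which this
    // model omits, so it is reported as "Origin Unauthorized" here.
    if ((auth.origin || []).includes(origin)) {
      return { allowed: true, by: auth.id, reasons: [] };
    }
    reasons.push(`${auth.id}: Origin Unauthorized (${origin})`);
  }
  return { allowed: false, by: null, reasons };
}

// Stand-alone run: the request from the thread plus the cases around it.
const demoCases = [
  { resource: RESOURCE, agent: OWNER, origin: APP_ORIGIN, mode: 'Write' },
  { resource: RESOURCE, agent: OWNER, origin: APP_ORIGIN, mode: 'Control' },
  { resource: RESOURCE, agent: null,  origin: APP_ORIGIN, mode: 'Read' },
  { resource: RESOURCE, agent: null,  origin: APP_ORIGIN, mode: 'Write' },
];
for (const c of demoCases) {
  console.log(`${c.mode} by ${c.agent} from ${c.origin} ->`, checkAccess(authorizations, c));
}
```

Running it shows the thread's outcome: the owner's Write from poddit.app is granted by `#app`, Control from poddit.app is refused because `#owner` lists no origin, anonymous Read succeeds through `#public` with no origin check, and the hypothetical `#originOnly` entry never grants anything because no agent can match it.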
Using the Sharing pane, I added poddit.app as an app that has access to https://michielbdejong.inrupt.net/bookmarks.ttl. So now I have the following ACL doc at https://michielbdejong.inrupt.net/bookmarks.ttl.acl:
I would expect poddit.app to be allowed to access https://michielbdejong.inrupt.net/bookmarks.ttl but when trying to use the app to add a bookmark, I see a 403 error in the browser console. What am I doing wrong here?